Friday, January 07, 2011

Open letter to OWASP

The OWASP Summit 2011 in Portugal is coming up soon! This is an opportunity for the community’s leaders and influencers to discuss the future of the organization and that of the application security industry. The working sessions are creative, diverse and forward-thinking, designed to direct standards, establish roadmaps, and improve organizational governance. Unfortunately I have a conflict in my schedule and am unable to attend, but I am excited to be presenting at IT-Defense in Germany. Fortunately for me, Jeff Williams (OWASP Chairman) put out a call for feedback on the Summit. Since I can’t be physically present, I’ve taken this as an opportunity to share my thoughts for organizers and attendees to consider.

Before getting to the list, I’d like to remind everyone that I was personally present many years ago at the beginnings of OWASP. Since then I’ve contributed to many different projects where I prefer to spend my time. I’ve visited over a dozen local OWASP chapters, including several international conferences where I presented, met new people and shared ideas. I’ve written blog posts and articles directing people to OWASP materials. Through sponsorship dollars from WhiteHat Security, we’ve financially supported the good work the organization does. So with this in mind, please take the following as purely constructive, with a desire for OWASP and the industry at large to flourish.

1) Hold a Board of Directors Vote

To my knowledge, and I’m open to correction, OWASP has never had an official Board of Directors vote. At least not one where membership could participate. Is this covered in the by-laws? It should be. Update: Indeed I have been corrected. See Dan Cornell's comment below, which nicely details a 2009 membership vote that resulted in the addition of two new BoD seats. Embarrassing that I missed this. I'm told (via twitter) that after the summit there will be a plan laid out where half the current seats will go out for a vote. Progress!

OWASP is a community of volunteers and, like any community, it should be managed openly and democratically. I love the fact that the budget itself has been made transparent. Holding a BoD vote would increase confidence in the organization and establish personal ownership and accountability in OWASP’s future. A future where someone's individual contribution, commitment, and merit may be rewarded with a position of greater influence and responsibility.

I do not make this recommendation lightly, as I know most of the current board members personally, whom I respect, who have given so much of themselves over the many years, and who deserve our appreciation. They’ve done a remarkable job and this should in no way be considered an indictment. I’m saying that for OWASP to continue to thrive, room must be made at the topmost levels for new participants with fresh ideas.

2) It is time for an OWASP Chief Executive Officer

OWASP would be well-served by the creation of a President / CEO position, just like Mozilla and other highly successful non-profits. A full-time person responsible for the day-to-day operational affairs and growing the organization. A go-to person for global committee members, project leaders, members, sponsors, press, etc. who has the authority to make decisions and get stuff done expeditiously. OWASP generates enough revenue, with sufficient growth, and has enough work to easily justify such a position. No doubt others besides myself have experienced much internal confusion and disorganization within it that stifles and frustrates those seeking to contribute. The right person could help clean all that up and make things much more efficient and productive.

Second, this person also must serve as an industry cheerleader. It is vital that someone representing OWASP is constantly out there raising awareness and sharing why it’s a good idea for every developer, security professional, and software-generating organization to be involved. Someone who can meet personally with CEOs, CIOs, CTOs, and CSOs of organizations large and small to gain their support. Obviously this can’t happen on a part-time basis with people employed by for-profit “vendors.”

3) Less preaching to the choir, engage more with the outsiders

Everyone in the community recognizes the echo chamber issue. We know that the vast majority of the people we need to reach do not voluntarily come to us, the application security industry. So of course they have no way of knowing why the work we do is important, how it affects the safety and privacy in their lives, and the viability of online business. Without addressing this issue, the summit runs the risk of perpetuating the problem. I’ve been as guilty as anyone. Therefore, instead of continuing to expect people to come to us, over the last several years I’ve been transitioning to going where they are, and with much success! OWASP should do the same to spread the word and take itself to the next level.

For example, OWASP representatives could attend, sponsor, and present at every possible non-security conference such as JavaOne, F8, Google I/O, any O'Reilly event, Star East/Web and so on, where thousands of developers gather. In my experience at these events, when in their own element, developers are eager to learn about the state-of-the-art in application security, especially when it is presented in a way where they can derive value immediately when they get back to work. These attendees also represent a segment of developers who really care about their software. OWASP should proactively reach out to conference organizers with a menu of official, up-to-date topics and facilitate the CFP process on behalf of qualified representatives. Or, better still, offer to establish and manage an entire security track! Done right, with a call to action, this alone would drive much-needed membership.

4) Investment justification

Mountains of documentation on what organizations “should be doing” are already available. Information security professionals are desperate for resources on how to justify to the business why an investment in application security is crucial. Effective application security programs aren’t easy or cheap to build. They require real organizational change and budget dollars to involve people, process, technology, and services. The justification cannot be because it’s “the right thing to do,” “PCI-DSS said so,” or “the APTs will get us!” That’s unconvincing and mind-numbingly old. OWASP can help everyone do better.

One way is by capturing success stories from the OWASP corporate and individual membership. Real people, real companies, who are named, documented, and publicly highlighted. Ask them to share how much OWASP materials helped them. What exactly they did and how it positively impacted the organization. Ask them to quantify some metrics on how much they are investing and how they are budgeting, all of which creates a watermark for others. These stories are key proof points their peers can use to follow the paths paved by early adopters.

5) Directly get involved with the PCI-DSS

PCI-DSS, despite whatever you think of it, does drive people to OWASP, but often under negative circumstances. Adoption of the OWASP Top Ten is not something e-commerce merchants necessarily want to do, but they are forced to, and no one likes to be forced to do “security.” As has been said privately to me, “What is OWASP except a bunch of crap I have to deal with for PCI?” This is the unfortunate net effect on attitudes. Merchants are incentivized to do the least application security they can get away with and NOT apply the Top Ten in the spirit of its intent. Either way, this makes OWASP look bad because the outcomes are, indeed, bad. Of course PCI-DSS’s usage of the Top Ten in this manner was not something OWASP ever asked for, but here we are just the same.

Perhaps I’m not the first to say it, but this misuse has gone on long enough. If the PCI Council insists on using OWASP materials as an application security standard, which could be mutually beneficial, a good one must be made available. Something clear, concise, and specifically designed for the risk tolerance of their credit card merchants. I believe this is what the OWASP PCI Project was meant to accomplish, but its status appears inactive. Fortunately there’s time to rekindle the effort, as my understanding is that the next revision to PCI-DSS is at least a year or two off. Done right, this could have a profound impact on a large segment of the Internet who currently get hacked all the time, compliant or otherwise.

There you have it, my thoughts. I have more ideas, but I think that’s enough to chew on for now. :)

@Tom: Thanks. I am actually involved and helping in a couple of OWASP projects, albeit behind the scenes. Prefer to silently assist others in their efforts. As much as I agree with unification, no way has that been a major gating item holding the industry back. Gotta prioritize.

Speaking of which, I'm looking at the topic and session list on the site. Perhaps I'm missing it somewhere, but nothing of what I've covered is there. Point me in the right direction?

I wanted to clear up one point: there was an election held in November of 2009 around the time of the OWASP DC conference where two new board members were elected. OWASP Members were the ones who were allowed to vote.

The people who were allowed to vote were the paid OWASP Individual Members (see more information about becoming an OWASP Member here) as well as a group of individuals who were given Honorary Memberships. The Honorary Memberships were provided to folks who had acted as chapter and project leaders in the past.

The vote was handled online via the services of VoteNet and was publicized on the OWASP Wiki, OWASP mailing lists, in-person at the OWASP DC conference, and in several emails to all individuals who were eligible to vote.

A number of people supported the voting process, but I largely ran it, so if folks have any questions / comments / issues please direct them to me (dan dot cornell at owasp dot org). There were a couple of glitches we worked through and a handful of folks had constructive feedback. We captured all this and will be using it to make future votes even better. The largest issues stemmed from questions of "who is an OWASP Member?" and "how do we get in touch with them?" and those have largely been addressed with the adoption of new membership tracking systems.

Given that it was the first time OWASP had attempted a vote involving all Members I felt that it was overall a success and resulted in a fair election.

There are plans for an upcoming vote on the OWASP Board. It is not scheduled to be held at the Summit, but the details for it should be released at the Summit.

Again thanks for posting this letter. It makes great observations and should provide for an even more productive and valuable Summit.

These are great ideas, and for the most part ones that we've been trying to figure out how to do. I know it was twittered, but I want to make sure that everyone knows that we did have a member vote for the Board in 2009 and will have more as good candidates arise. We've strived to be radically open about everything, even our complete finances.

@Dan: thank you for the correction. I've updated my post to reflect the oversight. Agreed, that vote must have been a good learning experience for the next time around.

@Jeff: Yes indeed. The post is updated and I'll circulate the correction via twitter. Speaking only for myself, votes must happen with or without the availability of several "good" candidates. If there aren't any new ones that the membership likes, I would suspect the current folks would win the day and hold onto their positions. I guess that's a way of saying I'm not for arbitrary term limits.

Thanks for bringing up these relevant points. I like the idea of having a CEO for the org. We are at the size where that could be very useful for the organization.

I also am glad to see the budget is open. We have to be sure not to fall into the trap of spending money on perks (I am looking at you ISC2) for those at the top of the org.

On your point about engaging with those outside of security, I concur. In Austin, we have been talking about regularly visiting the developer groups around town (Ruby, php, drupal...) and we don't do as good a job of it as we should, but hopefully in 2011 we will engage more with other local groups. Because I believe there is one surefire way to break down the wall between security and developers: face time.

As someone who until fairly recently was deeply involved day-in, day-out with webapp security (and actively involved in OWASP projects) - but who is now focused on other realms of security research - I'm disappointed that OWASP has failed to achieve its full potential.

OWASP needs to cross the chasm and address webapp security in the language that businesses can understand and action against. These businesses don't need to be preached to about technical inadequacies, what they need is specific guidance for their business vertical using the vocabulary they themselves use. And, more specifically, they need directly applicable worked-through examples of how their business will benefit from the proposed changes.

OWASP's traditional unguided "build it and they will come" approach has been largely unsuccessful and has had unexpected consequences (such as the PCI-DSS example).

Just like we can't expect a physicist to undertake a heart transplant just because someone handed him a medical journal detailing the process, we shouldn't be expecting embedded system engineers to pick up the OWASP application testing guide and suddenly produce secure code.

I think the foremost reason why OWASP hasn't been able to reach out to the developer community is a fairly ignorant attitude to software development.

In IT security I constantly meet experts who say "I used to code" and claim that they know software craftsmanship because of that. If you poke them you quickly understand that "used to code" means non-enterprise, command-line Pascal hacks done in Emacs back in the nineties.

Then these security experts try to communicate with real developers who manage hundred thousand lines of Java, C#, Python, PHP, or JavaScript. Developers who know their IDEs, who read blogs and books on refactoring, unit testing, design patterns, and clean code. Developers who on a daily basis produce business enabling features and functions. Needless to say the security expert fails in convincing these developers that he or she knows what's really important.

To start with, security is at the bottom of the software food chain. Before security you deal with features & functions, uptime, usability, performance, and maintainability. Then security. So when we meet with developers we need to be humble. They create more business and value for their organizations than we do.

Secondly, security experts need not only meet with developers and business people. We need to learn what they do, how they do it, and why they do it. Mocking developers because you found a bug with your fuzzer won't build trust and produce more secure software in the long run.

Finally, OWASP needs to put into place processes that avoid conservatism. Mankind always defaults to conserving what's already there. So we have a Board. So we have a Top 10 list. So we have preaching-for-the-choir AppSec conferences. "We're doing alright, why change?" I say – max 4 consecutive years as Board member, work with PCI on the sequel of Top 10, and co-locate AppSec with developer conferences. The latter would hopefully shake to life some of the Powerpoint pushers who now populate the AppSec tracks.

I like the idea of OWASP getting directly involved in developer conferences, sponsoring and trying to get security on the agenda. I agree that this is important, I've blogged about it before and will be speaking about it on a panel at the SANS Appsec conference in March. John's idea that OWASP Appsec should be co-located with a major developer conference builds on this, another excellent idea.

Anything that we can do to get developers and security experts working closer together is important and necessary.

My own $.02: I've been following many of the OWASP projects, and I'm concerned, as are others, that OWASP may be becoming more inward looking. For example, a lot of time and energy is being spent on reorganizing projects to fit with ASVS. I can see that this will eventually build to a compliance model of some kind, but from a developer perspective it adds nothing, and if anything makes the material less approachable.

From what I can see the most important project after the Top10 may be ESAPI. If ESAPI really works (and I can't tell from looking at incomplete and out of date documentation and work in progress wiki stuff), and not just for Java, then getting it properly packaged and documented so that development managers and project managers will trust it, and get some tutorials together so that non-superhero developers can figure it out, is more important than any of the other projects that I have been following. Getting ESAPI 2.0 completed and documented properly, making sure that it can be used in all of the common languages, getting framework developers and open source projects to use ESAPI, presenting on it everywhere. Experts keep saying that it is stupid for developers to build their own security code (and after looking at the data validation routines in ESAPI I agree) so give them an alternative - a rock-solid, clearly usable, proven and open alternative that doesn't need consulting help to understand and implement. So that after you do build a bridge with developers, you can give them a tool that they can start using right away.

@John @Jim: brilliant guys, thank you for contributing to the open discourse. Almost as if the answers are consolidating and we're all coming to the similar conclusions about how to push things forward.

About Me

Jeremiah Grossman's career spans nearly 20 years; he has lived a literal lifetime in computer security to become one of the industry's biggest names. He has received a number of industry awards and been publicly thanked by Microsoft, Mozilla, Google, Facebook, and many others for his security research. Jeremiah has written hundreds of articles and white papers. As an industry veteran, he has been featured in hundreds of media outlets around the world. Jeremiah has been a guest speaker on six continents at hundreds of events, including many top universities. All of this was after Jeremiah served as an information security officer at Yahoo!